Configuring External Authorization in Ingress Gateways
This document will describe how to configure Ingress Gateway external authorization using Open Policy Agent (OPA) as an example.
Before you get started, make sure you:
✓ Familiarize yourself with TSB concepts
✓ Install the TSB environment. You can use TSB demo for quick install
✓ Completed TSB usage quickstart. This document assumes you already created Tenant and are familiar with Workspace and Config Groups. Also you need to configure tctl to your TSB environment.
In this example, httpbin will be used as the workload. Requests that come to Ingress GW will be checked by OPA. If the request is deemed unauthorized, then the request will be denied with a 403 (Forbidden) response.
Following image shows the requests and response flow when using an external authorization system,you will deploy OPA as an individual service.
Deploy httpbin
Service
Follow all of the instructions in this document to create the httpbin
service.
Deploy OPA Service
Refer to the "Installing Open Policy Agent" document and create a policy for a basic authentication and deploy OPA as a standalone service
Configure Ingress Gateway
You will need to configure your Ingress Gateway again for httpbin
to use OPA. Create a file called httpbin-ingress.yaml
with the following contents:
apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
Metadata:
organization: tetrate
name: httpbin-ingress-gateway
group: httpbin
workspace: httpbin
tenant: tetrate
spec:
workloadSelector:
namespace: httpbin
labels:
app: httpbin-ingress-gateway
http:
- name: httpbin
port: 443
hostname: "httpbin.tetrate.com"
tls:
mode: SIMPLE
secretName: httpbin-certs
routing:
rules:
- route:
host: "httpbin/httpbin.httpbin.svc.cluster.local"
port: 8000
authorization:
external:
uri: grpc://opa.opa.svc.cluster.local:9191
Apply the configuration using tctl apply
:
tctl apply -f httpbin-ingress.yaml
Testing
You can test the external authorization by sending HTTP requests from an external machine or your local environment to the httpbin
Ingress Gateway.
In the following example, since you do not control httpbin.tetrate.com, you will have to trick curl into thinking that httpbin.tetrate.com resolves to the IP address of the Ingress Gateway.
Obtain the IP address of the Ingress Gateway that you previously created using the following command.
kubectl -n httpbin get service httpbin-ingress-gateway \
-o jsonpath='{.status.loadBalancer.ingress[0].ip}'
Then execute the following command to send HTTP requests to the httpbin service through the Ingress Gateway. Replace the gateway-ip
with the value you obtained in the previous step.
Remember that the example OPA policy contains two users alice
and bob
that can be authorized using basic authentication.
The following command should display 200
. Similarly, changing the username to bob
should also display 200
curl -u alice:password "https://httpbin.tetrate.com/get" \
--resolve "httpbin.tetrate.com:443:<gateway-ip>" \
--cacert certs/httpbin-ca.crt \
-s \
-o \
-w "%{http_code}\n" \
-H "X-B3-Sampled: 1"
The following command provides the wrong password to user alice
. This should display 403
.
curl -u alice:wrongpassword "https://httpbin.tetrate.com/get" \
--resolve "httpbin.tetrate.com:443:<gateway-ip>" \
--cacert certs/httpbin-ca.crt \
-s \
-o \
-w "%{http_code}\n" \
-H "X-B3-Sampled: 1"
Finally, if you provide any other user than alice
or bob
, it should display 403
curl -u charlie:password "https://httpbin.tetrate.com/get" \
--resolve "httpbin.tetrate.com:443:<gateway-ip>" \
--cacert certs/httpbin-ca.crt \
-s \
-o \
-w "%{http_code}\n" \
-H "X-B3-Sampled: 1"